Disable SlidingExpiration for certain requests

Jan 25, 2015 at 8:40 PM
In my app I use periodic AJAX requests to poll a server for updates. I'm using CookieAuthenticationMiddleware with SlidingExpiration enabled. Because of the polling requests, the cookie never expires. Is there a way to tell the middleware not to renew the cookie for those requests?
Coordinator
Jan 26, 2015 at 11:23 PM
Not directly. The best hack I see is you could shim the CookieAuthenticationOptions.CookieManager and conditionally suppress the cookie either when reading it from the request or writing it to the response.
Jan 27, 2015 at 4:52 AM
Edited Jan 27, 2015 at 4:52 AM
Thanks Tratcher!

I'm thinking of making a special attribute class similar to AllowAnonymousAttribute which will indicate that a request to this action shouldn't renew the authentication cookie. How could I check whether the attribute is applied to the action in the authentication middleware? Are there any examples?
Coordinator
Jan 27, 2015 at 10:40 PM
The cookie is read on the way in, so by the time you reach the MVC controller it's too late. I think you'll need to hook into the cookie manager and do your own filtering at that point.
Jan 28, 2015 at 6:18 AM
Thanks Tratcher! I think I solved it :) Here is my cookie manager:
    using System;
    using Microsoft.Owin;
    using Microsoft.Owin.Infrastructure;

    // Decorator around an existing ICookieManager. Reads and deletes pass
    // through unchanged; writes are dropped for requests that were flagged.
    public class MyCookieManager : ICookieManager
    {
        private readonly ICookieManager _cookieManager;

        public MyCookieManager(ICookieManager cookieManager)
        {
            if (cookieManager == null)
            {
                throw new ArgumentNullException("cookieManager");
            }

            _cookieManager = cookieManager;
        }

        public string GetRequestCookie(IOwinContext context, string key)
        {
            return _cookieManager.GetRequestCookie(context, key);
        }

        public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
        {
            // Skip every cookie write for flagged requests; this is what
            // stops the sliding-expiration renewal from reaching the browser.
            if (context.Get<bool>("IgnoreSlidingExpiration"))
            {
                return;
            }

            _cookieManager.AppendResponseCookie(context, key, value, options);
        }

        public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
        {
            _cookieManager.DeleteCookie(context, key, options);
        }
    }
And in my attribute filter class I set the IgnoreSlidingExpiration in the OWIN context:
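    using System.Web;      // GetOwinContext() extension method
    using System.Web.Mvc;

    public class IgnoreSlidingExpirationFilterAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Flag the request in the OWIN environment so that MyCookieManager
            // drops the renewed cookie when the response is written.
            var owinContext = filterContext.RequestContext.HttpContext.Request.GetOwinContext();
            owinContext.Set("IgnoreSlidingExpiration", true);
            base.OnActionExecuting(filterContext);
        }
    }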
Now I just apply the attribute to my actions and voilà, the magic happens!

I'm surprised how easy it is to do with the new OWIN architecture. I couldn't imagine how I would do it with traditional ASP.NET forms authentication. Thanks to the whole Katana team!
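
Wiring for the cookie manager and filter posted above, as an added example that is not part of the original thread or Katana's own code. The `Startup` class, `UpdatesController`, the login path and the 20-minute timeout are assumptions.

```csharp
using System;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical OWIN startup class; names, paths and timeout are assumptions.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",
            LoginPath = new PathString("/Account/Login"),
            // Idle timeout: with polling excluded from renewal, a session
            // with no real user activity ends after this interval.
            ExpireTimeSpan = TimeSpan.FromMinutes(20),
            SlidingExpiration = true,
            // Wrap ChunkingCookieManager (the middleware's default) so large
            // tickets are still split across cookies as before.
            CookieManager = new MyCookieManager(new ChunkingCookieManager())
        });
    }
}

// Hypothetical polling endpoint hit by the periodic AJAX requests.
public class UpdatesController : Controller
{
    // The filter sets the flag while the action runs. The middleware writes
    // the renewed cookie later, when response headers are sent, so the
    // cookie manager sees the flag and drops the write.
    [Authorize]
    [IgnoreSlidingExpirationFilter]
    public ActionResult Poll()
    {
        return Json(new { hasUpdates = false }, JsonRequestBehavior.AllowGet);
    }
}
```

Because the cookie manager drops every write on a flagged request, apply the attribute only to polling actions and never to an action that signs the user in.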